Art
I think switching the dependency to XML Signature 1.0 is a bad idea, noting that 1.1 has fixed errors, and addressed security vulnerabilities, including updates to algorithms (other than ecc) to address known weaknesses.
details in http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/explain.html, 5.1, 5.5.1, 5.8, 6.6-6.8
I think the W3 team is actively working on the PAG issue but have no idea when we will see the result - one hope was before year end.
regards, Frederick
Frederick Hirsch
Nokia
On Dec 13, 2011, at 1:14 PM, Arthur Barstow wrote:
> Hi All,
>
> The Widgets DigSig spec [W-DigSig] has been sitting in PR for over 4 months now, blocked on the Elliptic Curve PAG [ECC-PAG]. AFAICT, this PAG has just started its unspecified length Fishing Expedition seeking some unspecified level of funds to pay for some type of analysis that will take some unknown amount of time to complete ...
>
> Given this, and not wanting to block on the ECC PAG any longer, what are the options to move widgets-digsig to REC ASAP?
>
> Some options:
>
> 1. Replace [XMLSig1.1] dependency with XMLSig 1.0. I presume this would require a new 3-week LC but the CR could be zero-length, presumably no re-testing would be required, and the only thing blocking PR->REC is the length of the new CfE that would be needed.
>
> 2. Move the tainted algorithm(s) in XMLSig1.1 to XMLSig1.Next so XMLSig1.1 is not affected by the PAG and XMLSig1.1 can then continue on the REC track.
>
> 3. Others?
>
> (#2 seems dead simple so I'm probably missing some things.)
>
> -AB
>
> [W-DigSig] http://www.w3.org/TR/widgets-digsig/
> [XMLSig1.1] http://www.w3.org/TR/xmldsig-core1/
> [ECC-PAG] http://www.w3.org/2011/02/xmlsec-pag-charter.html
>